Everything your security and procurement team needs to evaluate Plugwright — our architecture-level controls, how we handle your data, our sub-processors, our compliance posture, and a signable Data Processing Agreement. We'd rather start with a review than a demo.
Plugwright deploys on your infrastructure and your Claude subscription, so these controls are designed into the architecture — there to review with your own security team, not bolted on after the fact.
The workspace, working trees, and credentials live on a server you control. Laptops are browser-only clients — a lost device exposes a session view, not your code or keys.
No static cloud keys or service-account secrets; short-lived, auto-rotated credentials scoped to your cloud, human access SSO-gated and de-provisioned in your IdP.
Outbound traffic passes a default-deny domain allowlist; secrets sit in a PKCE vault so neither humans nor the AI ever hold raw token values. Every call is logged.
The AI has no prod credentials and no prod network path. Changes land as PRs; promotion happens only through your existing CI/CD merge gate.
Access scoped to exactly what the work needs, capped by a permission boundary in your cloud's IAM — even a compromised agent can't escalate beyond your ceiling.
Every tool call, file edit, egress call, and approval is logged with actor + timestamp, persisted server-side, so you can reconstruct exactly what happened and on whose sign-off.
Code and data live on infrastructure you own/control; Plugwright operates inside it. We are a data processor acting on your documented instructions.
Your data is not used to train any model. Claude is run under your subscription/terms; we recommend Team/Enterprise or a Zero-Data-Retention deployment for sensitive workloads.
TLS 1.2+ in transit and encryption at rest are required in every engagement; access is via VPN/SSO with logging.
For EU workloads we offer a "Claude in Frankfurt, EU-resident, Zero-Data-Retention" tier via AWS Bedrock eu-central-1 (or Ireland/Paris) or Vertex AI EU regions.
Working data and session history are retained only for the engagement and deleted/returned on request or at contract end, per the DPA.
Capabilities are granted per tool and per stage; destructive actions require human approval at defined checkpoints. The AI's reach is a pull request, not your prod.
Third parties that may process data in an engagement. The exact set is scoped per client and listed in your DPA; we give advance notice of changes.
| Sub-processor | Purpose | Region (configurable) |
|---|---|---|
| Anthropic (Claude) | The AI model / Claude Code, under your subscription | US default; EU residency via Bedrock/Vertex |
| Your cloud (AWS / GCP / Azure) | Hosts the workspace + working trees (your account) | Your chosen region |
| Static host (Cloudflare / Netlify) | This marketing site only — no client data | Global CDN |
| Email / scheduling | Business comms & booking (no client production data) | Provider default |
We're a young firm and we won't claim certifications we don't hold. Here's exactly where we stand.
| Item | Status | Detail |
|---|---|---|
| Architecture-level controls | ● By design | The controls above are built into the deployment architecture — configured at install, not bolted on afterward |
| GDPR — DPA + EU SCCs + TIA | ● Available | Signable DPA below; SCCs (Module 2) + Transfer Impact Assessment for India↔EU; UK IDTA on request |
| UAE PDPL / data residency | ● Supported | Contractual safeguards + Saudi/UAE-hosted delivery where required |
| SOC 2 (Type I) | ● In progress | Control policies are ISO 27001-aligned today; we stand up continuous-compliance monitoring (Vanta or Drata) ahead of the audit |
| ISO 27001 | ● On roadmap | Targeted once recurring revenue justifies the audit |
| Claude Partner Network | ● Enrolling | Claude Certified Architect track; Services Partner Directory |
We return signed paperwork within 24 hours. Start with whichever you need.
GDPR Art.28 DPA with EU SCCs + TIA. Review or sign before any personal data is shared.
View DPA template →Master Services Agreement (signed once) + per-project Statement of Work. Request the current versions.
Request MSA / SOW →Security questions or a vendor questionnaire? Email getplugwright@gmail.com — we'll walk your team through our architecture-level controls and our ISO 27001-aligned policy set today, and share the SOC 2 (Type I) report under NDA once that audit completes.